Method for defence against attacks taking place by means of differential power analysis



The present invention relates to a method for defence against at least one
attack which is made by means of differential power analysis in at least one hyperelliptic
cryptosystem, in particular in at least one hyperelliptic public key cryptosystem, which is
given by at least one hyperelliptic curve of any genus over a finite field in a first group,
where the hyperelliptic curve is given by at least one co-efficient.

Although until recently elliptic cryptosystems (= systems based on E[lliptic]
C[urve] C[ryptography]) were considered faster than hyperelliptic cryptosystems (= systems
based on H[yperelliptic] C[urve] C[ryptography]), even in the past the use of Jacobian
variations of hyperelliptic curves over finite bodies was proposed as an alternative to elliptic
curves for cryptography (see Neal Koblitz, "A family of Jacobians suitable for discrete log
cryptosystems", in S. Goldwasser (Ed.), "Advances in Cryptology - CRYPTO '88", Vol. 403
of "Lecture Notes in Computer Science", Pages 94 to 99, 21st to 25th August 1988, Springer-
Verlag, 1990; Neal Koblitz, "Hyperelliptic Cryptosystems", Journal of Cryptology 1 (1989),
Pages 139 to 150).

Two more recent developments however now show that the view that ECC
systems were faster than HEC systems should be changed:

In September 2002, Kim Nguyen (Philips Semiconductors) presented the
results of his implementation of Tanja Lange's projective formulae (see Tanja Lange,
"Inversion-Free Arithmetic on Genus 2 Hyperelliptic Curves", Cryptology ePrint Archive,
Report 2002/147, 2002, http://eprint.iacr.org/) in genus 2 on an experimental hardware
simulator at ECC 2002 "Workshop on elliptic curve cryptography" in Essen. The results
suggest the competitiveness of HEC.

Shortly afterwards J. Pelzl, T. Wollinger, J. Guajardo and C. Paar described
highly efficient formulae for genus 3 curves (J. Pelzl, T. Wollinger, J. Guajardo, C. Paar,
"Hyperelliptic Curve Cryptosystems: Closing the Performance Gap to Elliptic Curves"),
including a drastic improvement of the doubling times in one important case and
implementation on an "embedded microprocessor" (ARM7).

With the efficient implementation of HEC-based systems on hardware, in
particular on chip cards, the question arises directly of the security of HEC in relation to
differential power analysis. Differential power analysis was introduced by P. Kocher, J. Jaffe
and B. Jun in two works (see P. Kocher, J. Jaffe and B. Jun, "Introduction to Differential
Power Analysis and Related Attacks", http://www.cryptography.com/dpa/technical, 1998; P.
Kocher, J. Jaffe and B. Jun, "Differential Power Analysis", Lecture Notes in Computer
Science, Vol. 1666, Pages 388 to 397, Springer-Verlag, Berlin, Heidelberg, 1999) and is
described in the cited works.

Brief descriptions of differential power analysis are also given in

- sections 3.2 and 3.3 of the work by M. Joye and C. Tymen, "Protection
against Differential Analysis for Elliptic Curve Cryptography - An Algebraic Approach" in
C. K. Koc, D. Naccache and C. Paar (Ed.): CHES 2001, "Lecture Notes in Computer
Science", Vol. 2162, Pages 377 to 390, Springer-Verlag, Berlin, Heidelberg, 2001 or

- section 3 of the work by J.-S. Coron, "Resistance against Differential Power
Analysis for Elliptic Curve Cryptosystems" in C. K. Koc and C. Paar (Ed.): CHES '99,
"Lecture Notes in Computer Science", Vol. 1717, Pages 292 to 302, Springer-Verlag, Berlin,
Heidelberg, 1999.

Such DPA attacks measure the current consumption of cryptographic
apparatus during processing of various inputs and set the measurements in correlation with
the values of defined bits in the internal representation of data. The idea of differential power
analysis is however very general and also functions with further physical values, e.g.
electromagnetic radiation.

The previous depictions for implementation of HEC-based cryptosystems
were mainly focussed on the efficiency of implementation and neglected the resistance of
implementation to attacks by means of differential power analysis.

Starting from the above disadvantages and inadequacies, and with an
assessment of the outlined state of the art, the present invention is based on the object of
refining a method of the type cited initially so that an essential contribution can be made
towards an efficient and secure implementation of systems based on hyperelliptic
cryptography.

This object is achieved by a method with the features given in claim 1.
Advantageous embodiments and suitable refinements of the present invention are
characterised in the sub-claims.

The present invention is thus based on the principle of providing
counter-measures for defence against attacks based on differential power analysis in the
implementation of hyperelliptic cryptosystems, and in particular in that scalar multiplication
on the Jacobian variation of a hyperelliptic curve is made resistant to differential power
analysis by curve randomisation (in the sense of a hyperelliptic analogon of randomisation of
curves in the work cited above by M. Joye and C. Tymen) and/or by divisor randomisation
(in the sense of a hyperelliptic analogon of the third counter-measure of the work cited above
by J.-S. Coron: Randomisation of points - here divisor randomisation).

In this way the invention described makes an essential contribution towards
efficient and secure implementation of h[yperelliptic] c[urve] c[ryptography]-based systems,
i.e. in the direction of robustness and security of HEC-based cryptosystems against such DPA
attacks, where in addition to the techniques and feasibility, the complexity of such methods
will also be considered below.

The basic concept of curve randomisation is to modify the bits of the operand
in an unforeseeable way. To this end the desired calculation is performed not in the given
group but in a second group, randomly generated but isomorphic; the result is then related
back to the first group.

The basic concept of divisor randomisation is to modify the bits of the
depiction of a reduced divisor, which is normally the base element of the cryptosystem or an
intermediate result of scalar multiplication. The technique of divisor randomisation can be
used whenever a group element can be depicted in several different ways.

The present invention furthermore relates to a microprocessor working
according to a method of the type described above.

The present invention further relates to a device, in particular a chip card
and/or in particular a smart card, having at least one microprocessor according to the type
described above.

The present invention finally relates to the use of:

- a method according to the type described above and/or

- at least one microprocessor according to the type described above and/or

- at least one device, in particular at least one chip card and/or in particular at
least one smart card, according to the type described above,

in the defence of at least one attack made by means of differential power
analysis on at least one hyperelliptic cryptosystem, in particular on at least one hyperelliptic
public key cryptosystem; here a public key cryptosystem normally uses an asymmetric
encryption method.

As already described above, there are various ways of structuring and refining
the teaching of the present invention advantageously. For this reference is made to the claims
following from claim 1.

The invention will be further described with reference to examples of 
embodiments shown in the drawing to which however the invention is not restricted. 

Fig. 1 shows diagrammatically an embodiment example of a method according 
to the present invention based on a principle of curve randomisation. 

Before explaining the method of curve randomisation below on the basis of a
first embodiment example, for an application-oriented introduction to the theory of
hyperelliptic curves reference is made to A. Menezes, Y.-H. Wu and R. Zuccherato, "An
Elementary Introduction to Hyperelliptic Curves", Appendix in Neal Koblitz, "Algebraic
aspects of cryptography", Algorithms and Computations in Mathematics, Vol. 3, pages 155
to 178, Springer-Verlag, 1998.

The notation used below deviates from this work by following the notation
according to:

- Tanja Lange, "Inversion-Free Arithmetic on Genus 2 Hyperelliptic Curves",
Cryptology ePrint Archive, Report 2002/147, 2002, http://eprint.iacr.org/,

- Tanja Lange, "Weighted Co-ordinates on Genus 2 Hyperelliptic Curves",
Cryptology ePrint Archive, Report 2002/153, 2002, http://eprint.iacr.org/, and

- J. Pelzl, T. Wollinger, J. Guajardo, C. Paar, "Hyperelliptic Curve
Cryptosystems: Closing the Performance Gap to Elliptic Curves".

Starting from two hyperelliptic curves $C$, $\tilde{C}$ of genus $g > 1$ over the finite field
$K$, a $K$-isomorphism $\phi: C \to \tilde{C}$ can clearly be expanded into a $K$-isomorphism of the Jacobian
variation $\phi: J(C) \to J(\tilde{C})$. Instead of calculating $Q = nD$ in $J(C)(K)$, where $n$ is a natural
number and $D$ an element of $J(C)(K)$, then

$$Q = \phi^{-1}(n\,\phi(D)) \tag{1}$$

is executed.

This means in other words that the diagram in Fig. 1 is commutative and that
in this diagram according to the invention the longer route via $J(\tilde{C})(K)$ is taken (the reference
"× n" in Fig. 1 means "multiplied with n").

In this context the counter-measure implemented by this $K$-isomorphism of the
Jacobian variations to protect against attacks made on the basis of differential power analysis
is particularly successful if the depictions of the co-efficients of curve $C$ and the elements of
$J(C)(K)$ differ greatly from the depictions of the images under $\phi$. This can for example be
achieved by multiplication of all operands with random figures.

The description below shows not only that this is possible, but also that only a
few field operations are required for this.

One practical implementation of the principle outlined above of curve
randomisation by means of general isomorphism of curves first assumes that

- $g > 1$ is a natural figure,

- $K$ is a finite field and

- $C$, $\tilde{C}$ are hyperelliptic curves of genus $g$, which are defined by Weierstraß
equations

$$C : y^2 + h(x)y - f(x) = 0 \tag{2}$$

$$\tilde{C} : y^2 + \tilde{h}(x)y - \tilde{f}(x) = 0 \tag{3}$$

over the field $K$ where

- the polynomials $f$, $\tilde{f}$ are standardised (monic) of degree $2g+1$ in $x$ and

- $h(x)$, $\tilde{h}(x)$ have maximum degree $g$.

The hyperelliptic curve $C$ (like the hyperelliptic curve $\tilde{C}$) has no singular
affine points, i.e. there are no pairs $(x, y) \in \bar{K} \times \bar{K}$ which simultaneously fulfil the equation
$y^2 + h(x)y - f(x) = 0$ and the partially derived equations $2y + h(x) = 0$ and
$h'(x)y - f'(x) = 0$. An equivalent condition is that the discriminant of $4f(x) + h(x)^2$ does not vanish
(see Theorem 1.7 from P. Lockhart, "On the discriminant of a hyperelliptic curve", Trans.
Amer. Math. Soc. 342 (1994), No. 2, Pages 729 to 752, MR 94f:11054). Similar conditions
apply to $\tilde{C}$.

The non-affine point of the projective completion of $C$ (or $\tilde{C}$) is known as
"infinite". All $K$-curve isomorphisms $\phi: C \to \tilde{C}$ can be described by variable transformation
of the form

$$\phi : (x, y) \mapsto \left(s^{-2}x + b,\; s^{-(2g+1)}y + A(x)\right) \tag{4}$$

(see Proposition 1.2 from P. Lockhart, "On the discriminant of a hyperelliptic
curve", Trans. Amer. Math. Soc. 342 (1994), No. 2, Pages 729 to 752, MR 94f:11054), for
suitable $s \in K^\times$, $b \in K$ and $A(x) \in K[x]$ of degree $\le g$.

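If $x$ or $y$ in equation (3) is replaced by $s^{-2}x + b$ or $s^{-(2g+1)}y + A(x)$, by
comparison with equation (2) it can be concluded that

$$\begin{cases} h(x) = s^{2g+1}\left(\tilde{h}(s^{-2}x + b) + 2A(x)\right) \\ f(x) = s^{2(2g+1)}\left(\tilde{f}(s^{-2}x + b) - A(x)^2 - \tilde{h}(s^{-2}x + b)A(x)\right). \end{cases} \tag{5}$$

The inverse transformation is

$$\tilde{f}(x) = s^{-2(2g+1)} f(\hat{x}) + s^{-(2g+1)} h(\hat{x})A(\hat{x}) - A(\hat{x})^2 \tag{6}$$

where $\hat{x} = s^2(x - b)$.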

The isomorphism $\phi: C \to \tilde{C}$ induces an isomorphism of group
variations $\phi: J(C) \to J(\tilde{C})$. The Jacobian variation of a curve $C$ is canonically isomorphic to
the ideal class group $\mathrm{Cl}^0(C)$, which is more suitable for explicit calculations; consequently it
must be found how $\phi$ operates as function $\mathrm{Cl}^0(C) \to \mathrm{Cl}^0(\tilde{C})$.

It should be noted here that in D. Cantor, "Computing in the Jacobian of a
hyperelliptic curve", Mathematics of Computation, 48 (1987), Pages 95 to 101, algorithms
were developed for the calculations in the ideal class group with the depiction in D.
Mumford, "Tata Lectures on Theta II", Birkhäuser, 1984, which are outlined briefly below:
Let $D$ be the sole main divisor of degree $\le g$ in a given divisor class to $C$, i.e.

$$D = \sum_{P \in S} m_P P - \Big(\sum_{P \in S} m_P\Big)\,\text{infinite},$$

- where the finite point set $S$ is a part set of $C(\bar{K})$ and is designated as a carrier
of $D$ and

- where the multiples $m_P$ are positive integers with $\sum_{P \in S} m_P \le g$.

Then the ideal class belonging to main divisor $D$ is given by a pair of clearly
defined polynomials $U(t), V(t) \in K[t]$ with the following properties:
$g \ge \deg_t U > \deg_t V$, $U$ is standardised and

$$\begin{cases} U(t) = \prod_{P \in S} (t - x_P)^{m_P} \\ V(x_P) = y_P \text{ for all } P \in S \\ U(t) \text{ divides } V(t)^2 + V(t)h(t) - f(t) \end{cases} \tag{7}$$
According to the following nomenclature $[U(t), V(t)]$ depict the reduced
divisor $D$.

The aim is to find two polynomials $\tilde{U}(t), \tilde{V}(t) \in K[t]$ which have similar
properties to $U(t)$, $V(t)$ but belong to divisor $\phi(D) = \sum_{P \in S} m_P\,\phi(P) - \big(\sum_{P \in S} m_P\big)\,\text{infinite}$ to $\tilde{C}$ instead of $D$.
In other words this means that for all field extensions $L/K$ the following relations apply:

P€5 NF€5 / Pes \P€^S / 






It is clear how the desired polynomials must be constructed. Clearly:

$$\tilde{U}(t) = \prod_{P \in S} (t - x_{\phi(P)})^{m_P} = \prod_{P \in S} (t - s^{-2}x_P - b)^{m_P} \tag{8}$$

Furthermore $\tilde{V}(x_{\phi(P)}) = y_{\phi(P)}$ for all $P \in S$, i.e.

A suitable candidate is

$$\tilde{V}(t) = s^{-(2g+1)}\,V(s^2(t - b)) + A(s^2(t - b)) \tag{9}$$

In fact equation (8) and equation (9) give the correct answer; this is due to the
unambiguity of the depiction of a reduced divisor: $\tilde{U}(t)$ and $\tilde{V}(t)$ are defined over $K$, $\deg \tilde{V} =
\deg V < \deg U = \deg \tilde{U}$ and the finding that $\tilde{U}(t)$ in fact divides $\tilde{V}(t)^2 + \tilde{V}(t)\tilde{h}(t) - \tilde{f}(t)$ is easy.
The case is now considered below where $K$ is a field of uneven characteristic.
It is assumed that $h(x) = \tilde{h}(x) = 0$, then the defining equations with the variable transformation
according to $y \to y - h(x)/2$ and $y \to y - \tilde{h}(x)/2$ can always be brought into this form. The
advantage is that the Cantor algorithm runs much more quickly and for the same reason
explicit formulae in uneven characteristic were developed under the above assumption. The
equations for $C$, $\tilde{C}$ are

$$C : y^2 - f(x) = 0 \tag{10}$$

$$\tilde{C} : y^2 - \tilde{f}(x) = 0. \tag{11}$$

This means in equation (6) that $A(x) = 0$.

If $\operatorname{char} K \ne 2g+1$ then furthermore it can be assumed that the co-efficient $f_{2g}$
(and that in $\tilde{f}(x)$) belonging to the second highest power of $x$ in $f(x)$ vanishes, as a variable
transformation according to $x \to x - f_{2g}/(2g+1)$ can always be carried out. In this case by virtue
of equation (6), necessarily $b = 0$.
Thus $\phi$ is of the type

with $s \in K^\times$. With regard to the uneven characteristic, only isomorphisms of this type need to
be considered, even if $\operatorname{char} K = 2g+1$. The formula for $\tilde{f}$ is then

This randomisation changes all co-efficients of the Weierstraß equation and
the two polynomials representing the reduced divisor (excluding those hard-wired at 1),
namely

Consequently this randomisation can be considered a secure counter-measure
for defence against attacks based on differential power analysis in implementations of
hyperelliptic cryptosystems with a field $K$ of uneven characteristic.

In an explicit description of this very rapid curve randomisation achieved
by means of an implementatory trick, with a field $K$ of uneven characteristic first a random
element $s \in K^\times$ is selected and then its multiplicative inverse calculated. This is because $s^{-1}$ is
required for $\phi$ and $s$ for $\phi^{-1}$.
$\phi$ is now described in detail below. From






we can get 



2p-3 
i=0 



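For general $U(t)$ and $V(t)$

$$U(t) = t^g + \sum_{i=0}^{g-1} U_i t^i \quad\text{and}\quad V(t) = \sum_{i=0}^{g-1} V_i t^i$$

so that

$$\tilde{U}(t) = t^g + \sum_{i=0}^{g-1} s^{-2(g-i)} U_i t^i \quad\text{and}\quad \tilde{V}(t) = \sum_{i=0}^{g-1} s^{2i-(2g+1)} V_i t^i$$

WO 2004/112306, PCT/IB2004/050813
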

In order to apply $\phi$ to the curve and to a base divisor $[U(t), V(t)]$, $s^{-k}$ is
calculated for $k = 2, 3, \ldots, 2g+1$ in succession:

- if $k$ is even, then $U_{g-k/2}$ and (if $k$ is not equal to 2) $f_{2g+1-k/2}$ is multiplied by
$s^{-k}$;

- if $k$ is uneven, $V_{g-(k-1)/2}$ is multiplied by $s^{-k}$.

For $k = 2g+2, 2g+4, \ldots, 2(2g+1)$, $s^{-k}$ is calculated by repeated multiplication
with $s^{-2}$ and $f_{2g+1-k/2}$ multiplied by $s^{-k}$. Together these are $7g+1$ multiplications; $\phi^{-1}$ requires
only $4g$ multiplications in $K$.

If the curve or at least one base field is established, there is also an
implementatory trick which can be used to avoid calculating the inversion $s^{-1}$ of the element $s$
on each use of the cryptographic device.

From the outset, during the initialisation phase of the cryptographic device a
pair of field elements $(s_0, s_0^{-1})$ are generated at random together with several further such
pairs $(\kappa_i, \kappa_i^{-1})$ and stored in the E²PROM.

Then before each cryptographic operation an index $i$ is selected at random;
thus $(s_0, s_0^{-1})$ is replaced in the E²PROM by $(\kappa_i s_0, \kappa_i^{-1} s_0^{-1})$. The latter pair is then used
instead of $(s, s^{-1})$ for curve randomisation in the current run of the cryptographic device.

To summarise it can be found that curve randomisation in uneven
characteristic is an effective and efficient protective measure against attacks based on the
method of differential power analysis. The total count of the necessary field operations in $K$
is $11g+1$.

In practice this is comparable to the number of field operations for individual
group operations and often far fewer than indicated by the formulae in

- Tanja Lange, "Inversion-Free Arithmetic on Genus 2 Hyperelliptic Curves",
Cryptology ePrint Archive, Report 2002/147, 2002, http://eprint.iacr.org/,

- Tanja Lange, "Weighted Co-ordinates on Genus 2 Hyperelliptic Curves",
Cryptology ePrint Archive, Report 2002/153, 2002, http://eprint.iacr.org/ and

- J. Pelzl, T. Wollinger, J. Guajardo, C. Paar, "Hyperelliptic Curve
Cryptosystems: Closing the Performance Gap to Elliptic Curves".
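
The following Python code is an added example and not part of the original specification: it carries out equation (1) for a genus 2 curve y^2 = f(x) in uneven characteristic, with Cantor's algorithm as the group law, and includes the stored-pair trick that avoids the inversion on each run. The prime P, the constructed sample curve and divisor, and all function names are assumptions made for illustration; the scaling of the co-efficients of f is the one that follows from equation (6) with b = 0 and A(x) = 0.

```python
import secrets

P, G = 10007, 2  # assumed toy prime field F_P and genus; polynomials are lists, lowest degree first

def trim(a):
    a = [c % P for c in a]
    while a and a[-1] == 0:
        a.pop()
    return a

def add(a, b):
    n = max(len(a), len(b))
    return trim([(a[i] if i < len(a) else 0) + (b[i] if i < len(b) else 0) for i in range(n)])

def neg(a):
    return trim([-c for c in a])

def mul(a, b):
    r = [0] * (len(a) + len(b) - 1) if a and b else []
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            r[i + j] += x * y
    return trim(r)

def divmod_poly(a, b):
    a = trim(a)
    q, inv = [0] * max(len(a) - len(b) + 1, 0), pow(b[-1], -1, P)
    while len(a) >= len(b):
        c, k = a[-1] * inv % P, len(a) - len(b)
        q[k] = c
        a = add(a, neg(mul([0] * k + [c], b)))
    return trim(q), a

def xgcd(a, b):
    """Monic d = gcd(a, b) together with x, y such that x*a + y*b = d."""
    r0, r1, x0, x1, y0, y1 = trim(a), trim(b), [1], [], [], [1]
    while r1:
        q, r = divmod_poly(r0, r1)
        r0, r1 = r1, r
        x0, x1 = x1, add(x0, neg(mul(q, x1)))
        y0, y1 = y1, add(y0, neg(mul(q, y1)))
    c = [pow(r0[-1], -1, P)]
    return mul(r0, c), mul(x0, c), mul(y0, c)

def cantor_add(D1, D2, f):
    """Cantor's composition and reduction for y^2 = f(x), i.e. h(x) = 0."""
    (u1, v1), (u2, v2) = D1, D2
    d1, e1, e2 = xgcd(u1, u2)
    d, c1, c2 = xgcd(d1, add(v1, v2))
    s1, s2, s3 = mul(c1, e1), mul(c1, e2), c2
    u = divmod_poly(mul(u1, u2), mul(d, d))[0]
    num = add(add(mul(mul(s1, u1), v2), mul(mul(s2, u2), v1)), mul(s3, add(mul(v1, v2), f)))
    v = divmod_poly(divmod_poly(num, d)[0], u)[1]
    while len(u) - 1 > G:                      # reduce until deg U <= g
        u = divmod_poly(add(f, neg(mul(v, v))), u)[0]
        u = mul(u, [pow(u[-1], -1, P)])
        v = divmod_poly(neg(v), u)[1]
    return u, v

def scalar_mul(n, D, f):
    R = ([1], [])                              # neutral element [U, V] = [1, 0]
    for bit in bin(n)[2:]:
        R = cantor_add(R, R, f)
        if bit == "1":
            R = cantor_add(R, D, f)
    return R

def phi(s_inv, f, D):
    """(x, y) -> (s^-2 x, s^-(2g+1) y) applied to f and [U, V]; call with s to get the inverse map."""
    u, v = D
    w = lambda e: pow(s_inv, e, P)
    f_t = [c * w(2 * (2 * G + 1 - i)) % P for i, c in enumerate(f)]
    u_t = [c * w(2 * (len(u) - 1 - i)) % P for i, c in enumerate(u)]
    v_t = [c * w(2 * G + 1 - 2 * i) % P for i, c in enumerate(v)]
    return trim(f_t), (trim(u_t), trim(v_t))

def refresh_pair(pair, kappas):
    """Stored-pair trick: (s0, s0^-1) -> (k*s0, k^-1*s0^-1), so no inversion is needed per run."""
    k, k_inv = secrets.choice(kappas)
    return pair[0] * k % P, pair[1] * k_inv % P

def randomised_scalar_mul(n, f, D, pair):
    s, s_inv = pair
    f_t, D_t = phi(s_inv, f, D)                # move to the random isomorphic curve
    Q_t = scalar_mul(n, D_t, f_t)              # n * phi(D) is computed there
    return phi(s, f_t, Q_t)[1]                 # phi^-1 brings the result back

def sample_curve():
    """Constructed sample: pick [U, V], then f = V^2 + U*W with W chosen so that f is squarefree."""
    U, V = [21, 5, 1], [7, 3]
    for c in range(P):
        f = add(mul(V, V), mul(U, [c, 2, 0, 1]))
        if xgcd(f, trim([i * a for i, a in enumerate(f)][1:]))[0] == [1]:
            return f, (U, V)

def on_curve(f, D):
    """Mumford condition: U divides V^2 - f."""
    return divmod_poly(add(mul(D[1], D[1]), neg(f)), D[0])[1] == []
```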

The arguments presented above with regard to the general isomorphisms of
curves also apply unchanged for the case discussed below, where $K$ is a field of even
characteristic. In this case however $h(x)\tilde{h}(x)$ must not equal zero; in other words this means
that the use of general isomorphisms is less efficient than in the case of uneven characteristic.

Instead of the general isomorphisms according to equation (4), it is assumed
that $b = 0$ and $A(x) = 0$ and worked as in the case of uneven characteristic. The isomorphisms
of the form

$$\phi : (x, y) \mapsto \left(s^{-2}x,\; s^{-(2g+1)}y\right) \tag{12}$$

for general $s \in \mathbb{F}_{2^d} \setminus \mathbb{F}_2$ randomise all co-efficients of the equation as follows:



J/i{a;) = 5-' 



As in the explicit description above of the very rapid curve randomisation 
achieved by means of an implementatory trick with a field K of uneven characteristic, also 
with an explicit description of the very rapid curve randomisation performed by means of an 
implementatory trick with a field K of even characteristic of 



then 



and the formulae for $\tilde{U}$, $\tilde{V}$ again read

It can be concluded that no general isomorphisms of the type according to
equation (4) are required but that those of the type according to equation (12) suffice to
randomise efficiently all bits of the internal depictions.

The co-efficients of $\tilde{h}(x)$ are calculated from the co-efficients of $h(x)$ in the
same way as the co-efficients of $\tilde{V}(t)$: For $k = 3, 5, \ldots, 2g+1$ then $V_{g-(k-1)/2}$ and $h_{g-(k-1)/2}$ are
multiplied by $s^{-k}$; also $h_g$ is multiplied by $s^{-1}$; this means that at most $g+1$ field operations
more are required than in the case of uneven characteristic and all costs for the use of $\phi$ are
$8g+2$ multiplications after $s$ has been selected and $s^{-1}$ calculated. The implementatory trick
described above is not necessary here as the inversion is sufficiently fast in binary bodies.

Below a case distinction is examined for constant $h$ and for non-constant $h$ but
defined via $\mathbb{F}_2$:

For even characteristic it must be noted which problems occur if the
co-efficients of the defining equations are restricted for throughput reasons, where the simplest
case should be considered that $h(x)$ is a non-vanishing constant, since in equation (6) $\tilde{h}(x)$ is
also constant and non-vanishing.

Now however it is a known result of algebraic geometry that curves with
equation $y^2 + cy = f(x)$ with non-vanishing $c$ and with $\deg f = 5$ are supersingular (see Theorem 9
in S. D. Galbraith, "Supersingular curves in cryptography", in C. Boyd (Ed.), ASIACRYPT
2001, "Lecture Notes in Computer Science", Vol. 2248, Pages 495 to 513, Springer-Verlag,
2001) and are not suitable for the cryptographic applications of interest here.

In contrast no hyperelliptic curve of genus $g = 3$ in even characteristic is
supersingular (see J. Scholten and H. J. Zhu, "Hyperelliptic curves in characteristic 2", Inter.
Math. Research Notices, 17 (2002), Pages 905 to 917), thus in principle curves with equation
$y^2 + cy = f(x)$ with non-vanishing $c$ and with $\deg f = 7$ can be used on the condition that the
expansion degree and group order are selected suitably.

Although the work submitted by J. Pelzl, T. Wollinger, J. Guajardo and C.
Paar, "Hyperelliptic Curve Cryptosystems: Closing the Performance Gap to Elliptic Curves",
gives a very rapid doubling formula for the case $h(x) = 1$, the speed of divisor doubling can
be substantially accelerated also if $h(x)$ is a non-vanishing constant. If h(x) = s^^% = s^c\
this makes the case of curves of genus $g = 2$ important.

In the case of a non-constant $h$, the co-efficients of $h(x)$ for reasons of speed
are often selected in $\mathbb{F}_2$ (see for example Tanja Lange, "Inversion-Free Arithmetic on Genus 2
Hyperelliptic Curves", Cryptology ePrint Archive, Report 2002/147, 2002,
http://eprint.iacr.org/, or Tanja Lange, "Weighted Co-ordinates on Genus 2 Hyperelliptic
Curves", Cryptology ePrint Archive, Report 2002/153, 2002, http://eprint.iacr.org/).

In this case of a non-constant $h$ defined however over $\mathbb{F}_2$, on the basis of
equation (6) there is an equivalence with the following question: If $h(x) \in \mathbb{F}_2[x]$, for which $b \in
K$ and for which $s \in K^\times$ is $\tilde{h}(x) = s^{-(2g+1)}h(s^2(x - b)) \in \mathbb{F}_2[x]$?

If $r = (2g+1) - 2\deg h$, the leading co-efficient $s^{-r}$ of $\tilde{h}(x)$ is equal to one, since
this leading co-efficient does not vanish; figure $r$ is uneven, positive and $\le 2g-1$.
The cryptosystem must resist the index calculus attack by Gaudry (see P.
Gaudry, "An algorithm for solving the discrete log problem on hyperelliptic curves", in
"Advances in Cryptology - Eurocrypt 2000", Pages 19 to 34, "Lecture Notes in Computer
Science", Vol. 1807, Springer-Verlag, Berlin, Heidelberg, 2000), i.e. if $g \le 4$; then $r \le 7$, and
for $r$ there are only very few possible values; this makes its randomisation unnecessary.

Let the extension degree $d = [K : \mathbb{F}_2]$.

In this context it should be noted that for protection against attacks by Weil
descent (see G. Frey, "How to disguise an elliptic curve (Weil descent)", Talk at ECC '98,
Waterloo, 1998 (slides available at
http://www.cacr.math.uwaterloo.ca/conferences/1998/ecc98/slides.html); G. Frey, "Applications of arithmetical geometry to
cryptographic constructions", in "Finite fields and applications (Augsburg, 1999)", Pages 128
to 161, Springer, Berlin, 2001) for extension degree $d$ either a prime number $p$ is selected
in the order of $\ge 160/g$ or twice a prime number $p$ in the order of $\ge 80/g$.

The possible values of $s$ are zeros of irreducible factors of $X^r - 1$, the
degree of which divides $d$. If $d = p \ge 160/g \ge 40$ (= preferred case), then $s = 1$; if $d = 2p$ with $p \ge
80/g \ge 20$, $s$ can only be a zero of a factor via $\mathbb{F}_2$ of $X^r - 1$ of degree 1 or 2. A rapid listing
of such factors (it should be noted that $r$ is uneven and $\le 7$) shows that either $s = 1$ or $r = 3$
and $s^2 + s + 1 = 0$. If two co-efficients of $h(x)$ do not vanish, then always $s = 1$.

If we now start from $\sigma$ as Frobenius automorphism of $K/\mathbb{F}_2$, then $h(-b^{\sigma^j})
= h(-b)^{\sigma^j} = h(-b) \in \mathbb{F}_2$ for all $j$, because $\tilde{h}(x) = h(x - b) \in \mathbb{F}_2[x]$. This means in other words
that all conjugates of $-b$ under the Frobenius are solutions of $h(x) - h(-b) = 0$. If $b$ is not an
element of $\mathbb{F}_2$ there are at least $p \ge 80/g$ such conjugations, wherein the degree of $h(x)$ is at
most $g \le 4$. For this reason $b$ must be an element of $\mathbb{F}_2$: there are only two possibilities for $b$,
so randomisation of $b$ is pointless.

It can thus be concluded that the relevant isomorphisms are of type

where $A(x) \in K[x]$ is of degree $\le g$.

In the sense of a hyperelliptic analogon, the situation here is similar to the
situation described in the said work by M. Joye and C. Tymen in the randomisation of elliptic
curves as only one of the two polynomials or only half of the co-ordinates can be randomised
efficiently.

In fact the situation is even worse as according to equation (6) not all
co-efficients of $f$ can be randomised to $\tilde{f}$, which increases the probability of a successful
attack based on differential power analysis if curve randomisation alone is used.

To summarise, for the method described above of curve randomisation it can
be found that this counter-measure for hyperelliptic curves of genus 2 in even characteristic

- either is not adequate because too few co-efficients can be randomised,

- or inhibits the power of the cryptographic system as the counter-measure
uses the general isomorphisms according to equation (4) and leaves the co-efficients of $\tilde{h}$
lying outside $\mathbb{F}_2$.

In the case of genus 3 the curves of equation $y^2 + cy = f(x)$ and general
isomorphisms can be used. In this case it is sufficient to fix in equation (4) $b = 0$ and $A(x) = 0$
and proceed as at the end of the previous description for the case of uneven characteristic in
order to randomise all co-efficients reasonably.

In all further cases other techniques are recommended such as divisor
randomisation which also works in uneven characteristic and which is explained below as a
second embodiment example which can be implemented

- in combination with the first embodiment example of curve randomisation or

- independently of the first embodiment of curve randomisation.

In the technique of divisor randomisation the bits of the depiction of a reduced
divisor which is normally the base element of the cryptosystem or an intermediate result of
scalar multiplication are modified. The technique of divisor randomisation is used if a group
element can be depicted in several different ways.

Noteworthy examples from the prior art are the projective co-ordinates on
elliptic curves: two triplets $(X, Y, Z)$ and $(X', Y', Z')$ represent the same point if a
non-vanishing element $s$ exists in the base field such that $X = sX'$, $Y = sY'$ and $Z = sZ'$. In the
Jacobian co-ordinates (see D. V. Chudnovsky and G. V. Chudnovsky, "Sequences of
numbers generated by addition in formal groups and new primality and factoring tests",
Advances in Applied Mathematics, 7 (1987), Pages 385 to 434), two triplets $(X, Y, Z)$ and
$(X', Y', Z')$ represent the same point if $X = s^2X'$, $Y = s^3Y'$ and $Z = sZ'$ with $s \in K^\times$.
Recently alternative co-ordinate systems were proposed for hyperelliptic
curves of genus 2. An inversion-free system by Miyamoto et al. (see Y. Miyamoto, H. Doi,
K. Matsuo, J. Chao and S. Tsuji, "A fast addition algorithm of genus two hyperelliptic
curve", in Proceedings of SCIS 2002, IEICE Japan, Pages 497 to 502, 2002, in Japanese),
which operates on the hyperelliptic correspondence of the projective co-ordinates for elliptic
curves, has been extended and improved by Lange (see Tanja Lange, "Inversion-Free
Arithmetic on Genus 2 Hyperelliptic Curves", Cryptology ePrint Archive, Report 2002/147,
2002, http://eprint.iacr.org/), who also developed a correspondence of Jacobian co-ordinates,
namely the weighted co-ordinates (see Tanja Lange, "Weighted Co-ordinates on Genus 2
Hyperelliptic Curves", Cryptology ePrint Archive, Report 2002/153, 2002,
http://eprint.iacr.org/). No similar systems are known for genus 3.

The greater the genus of the curve, the smaller - for the same group order - is
the base body, and hence the speed ratio of inversions to multiplications is smaller. This
makes inversion-free formulae less attractive for genus 3 as one inversion is exchanged for
many multiplications. However there are already efficient bit randomisation processes for
curves of genus 3 both for uneven characteristic and for even characteristic.

In projective co-ordinates (genus 2) a divisor $D$ with associated polynomial
pair is shown as a quintuplet $[U_1, U_0, V_1, V_0, Z]$ where
$U(t) = t^2 + U_1 t/Z + U_0/Z$ and $V(t) = V_1 t/Z + V_0/Z$.

The divisor randomisation works as follows: A random $s \in K^\times$ is selected and
the following conversion applied:

$$[U_1, U_0, V_1, V_0, Z] \to [sU_1, sU_0, sV_1, sV_0, sZ].$$

In weighted co-ordinates a divisor $D$ is shown by a sextuplet $[U_1, U_0, V_1, V_0,
Z_1, Z_2]$ where $U(t) = t^2 + U_1 t/Z_1^2 + U_0/Z_1^2$ and $V(t) = V_1 t/(Z_1^3 Z_2) + V_0/(Z_1^3 Z_2)$.

To make a base divisor or an intermediate calculation invisible, two elements
$s_1, s_2 \in K^\times$ are selected at random and the following transformation performed:

$$[U_1, U_0, V_1, V_0, Z_1, Z_2] \to [s_1^2 U_1, s_1^2 U_0, s_1^3 s_2 V_1, s_1^3 s_2 V_0, s_1 Z_1, s_2 Z_2]$$

If the additional optional co-ordinates
$z_1 = Z_1^2$, $z_2 = Z_2^2$, $z_3 = Z_1 Z_2$ and $z_4 = z_1 z_2 = z_3^2$
are used, these additional optional co-ordinates must also be updated; the
quickest way of updating is to recover them from the images of $Z_1$ and $Z_2$ by three
quadrations and a multiplication.
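
As an added example (Python, not part of the original specification), the two conversions above are applied to a constructed divisor and shown to leave the represented polynomials U(t), V(t) unchanged; bit_set_count additionally counts, over all s, how often a chosen bit of a randomised co-ordinate is set, a count that is the same for every divisor. The prime P, the sample values and the function names are assumptions made for illustration.

```python
P = 10007  # assumed toy prime field; sample values below are constructed

def inv(a):
    return pow(a, -1, P)

def affine_from_projective(d):
    """[U1, U0, V1, V0, Z] -> (u1, u0, v1, v0) with U(t) = t^2 + u1 t + u0, V(t) = v1 t + v0."""
    zi = inv(d[4])
    return tuple(c * zi % P for c in d[:4])

def randomise_projective(d, s):
    """[U1, U0, V1, V0, Z] -> [sU1, sU0, sV1, sV0, sZ] for a non-vanishing s."""
    return tuple(s * c % P for c in d)

def affine_from_weighted(d):
    """[U1, U0, V1, V0, Z1, Z2]: U co-efficients carry Z1^2, V co-efficients carry Z1^3 Z2."""
    U1, U0, V1, V0, Z1, Z2 = d
    zu, zv = inv(Z1 * Z1), inv(pow(Z1, 3, P) * Z2)
    return (U1 * zu % P, U0 * zu % P, V1 * zv % P, V0 * zv % P)

def randomise_weighted(d, s1, s2):
    U1, U0, V1, V0, Z1, Z2 = d
    a, b = s1 * s1 % P, pow(s1, 3, P) * s2 % P
    return (a * U1 % P, a * U0 % P, b * V1 % P, b * V0 % P, s1 * Z1 % P, s2 * Z2 % P)

def optional_coords(d):
    """z1 = Z1^2, z2 = Z2^2, z3 = Z1 Z2, z4 = z3^2: three squarings and one multiplication."""
    Z1, Z2 = d[4], d[5]
    z3 = Z1 * Z2 % P
    return (Z1 * Z1 % P, Z2 * Z2 % P, z3, z3 * z3 % P)

def bit_set_count(d, coord, bit):
    """Number of s in K^x for which `bit` of co-ordinate `coord` is set after randomisation."""
    return sum((randomise_projective(d, s)[coord] >> bit) & 1 for s in range(1, P))
```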

The two measures proposed according to the invention, namely the measure of
curve randomisation (= first embodiment example) and the measure of divisor randomisation
(= second embodiment example), each individually and in combination reinforce the
hyperelliptic cryptosystems against differential power analysis. Both the technique of curve
randomisation and the technique of divisor randomisation are simple to introduce and only
have a negligible effect on the throughput.

The method according to the first embodiment example, i.e. curve
randomisation, transports the scalar multiplication in the Jacobian variation into a randomly
selected isomorphic group. Scalar multiplication is performed in this second group and the
result of the scalar multiplication returned to the first group. The method of curve
randomisation can be applied to curves of any genus.

The method according to the second embodiment example, i.e. divisor
randomisation, is a hyperelliptic variant of Coron's third counter-measure. Divisor
randomisation can only be applied in curve families of which the co-ordinate systems are
known for group operations in the associated Jacobian variation which correspond to the
elliptic projective or Jacobian.

The two counter-measures described above for defence of attacks based on
differential power analysis on implementations of hyperelliptic cryptosystems can be used
independently of each other or simultaneously.
REFERENCE LIST:

$C$ hyperelliptic curve

$\tilde{C}$ transformed hyperelliptic curve

$D$ divisor, in particular reduced divisor

$g$ genus

$J$ Jacobian variation

$K$ field, in particular finite field

$n$ scalar

$s$ element, in particular non-vanishing element

$s_1$ first element, in particular non-vanishing first element

$s_2$ second element, in particular non-vanishing second element

$t$ variable

$\phi$ depiction

$\phi^{-1}$ inverse depiction

$[U_1, U_0, V_1, V_0, Z]$ quintuplet

$[sU_1, sU_0, sV_1, sV_0, sZ]$ converted quintuplet

$[U_1, U_0, V_1, V_0, Z_1, Z_2]$ sextuplet

$[s_1^2 U_1, s_1^2 U_0, s_1^3 s_2 V_1, s_1^3 s_2 V_0, s_1 Z_1, s_2 Z_2]$ converted sextuplet



